CWE-208
AllowedObservable Timing Discrepancy
Abstraction: Base · Status: Incomplete
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
306 vulnerabilities reference this CWE, most recent first.
CVE-2025-7383 (GCVE-0-2025-7383)
Vulnerability from cvelistv5 – Published: 2025-08-29 09:19 – Updated: 2025-08-29 13:46| Vendor | Product | Version | |
|---|---|---|---|
| Oberon microsystems AG | Oberon PSA Crypto |
Affected:
1.0.0 , ≤ 1.5.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7383",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-29T13:46:02.121244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T13:46:14.471Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"AES-CBC with PKCS#7 padding"
],
"product": "Oberon PSA Crypto",
"vendor": "Oberon microsystems AG",
"versions": [
{
"lessThanOrEqual": "1.5.0",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(248, 248, 248);\"\u003ePadding oracle attack vulnerability in \u003ci\u003eOberon microsystem AG\u003c/i\u003e\u2019s \u003ci\u003eOberon PSA Crypto\u003c/i\u003e library in all versions since 1.0.0 and prior to 1.5.1 allows an attacker to recover plaintexts via timing measurements of AES-CBC PKCS#7 decrypt operations.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Padding oracle attack vulnerability in Oberon microsystem AG\u2019s Oberon PSA Crypto library in all versions since 1.0.0 and prior to 1.5.1 allows an attacker to recover plaintexts via timing measurements of AES-CBC PKCS#7 decrypt operations."
}
],
"impacts": [
{
"capecId": "CAPEC-463",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-463 Padding Oracle Crypto Attack"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T09:19:01.638Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://www.oberon.ch/security-advisories/cve-2025-7383/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Affected users should upgrade to \u003ci\u003eOberon PSA Crypto 1.5.1\u003c/i\u003e or later."
}
],
"value": "Affected users should upgrade to Oberon PSA Crypto 1.5.1 or later."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Timing side-channel vulnerability in AES-CBC decryption with PKCS#7 padding in Oberon PSA Crypto library",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2025-7383",
"datePublished": "2025-08-29T09:19:01.638Z",
"dateReserved": "2025-07-09T09:43:45.575Z",
"dateUpdated": "2025-08-29T13:46:14.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7071 (GCVE-0-2025-7071)
Vulnerability from cvelistv5 – Published: 2025-08-29 09:18 – Updated: 2025-08-29 12:07| Vendor | Product | Version | |
|---|---|---|---|
| Oberon microsystems AG | ocrypto |
Affected:
3.1.0 , ≤ 3.9.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7071",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-29T12:07:50.804088Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T12:07:57.827Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"AES-CBC with PKCS#7 padding"
],
"product": "ocrypto",
"vendor": "Oberon microsystems AG",
"versions": [
{
"lessThanOrEqual": "3.9.1",
"status": "affected",
"version": "3.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(248, 248, 248);\"\u003ePadding oracle attack vulnerability in \u003ci\u003eOberon microsystem AG\u003c/i\u003e\u2019s \u003ci\u003eocrypto\u003c/i\u003e library in all versions since 3.1.0 and prior to 3.9.2 allows an attacker to recover plaintexts via timing measurements of AES-CBC PKCS#7 decrypt operations.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Padding oracle attack vulnerability in Oberon microsystem AG\u2019s ocrypto library in all versions since 3.1.0 and prior to 3.9.2 allows an attacker to recover plaintexts via timing measurements of AES-CBC PKCS#7 decrypt operations."
}
],
"impacts": [
{
"capecId": "CAPEC-463",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-463 Padding Oracle Crypto Attack"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T09:18:06.911Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"url": "https://www.oberon.ch/security-advisories/cve-2025-7071/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Affected users should upgrade to \u003ci\u003eocrypto 3.9.2\u003c/i\u003e or later."
}
],
"value": "Affected users should upgrade to ocrypto 3.9.2 or later."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Timing side-channel vulnerability in AES-CBC decryption with PKCS#7 padding in ocrypto library",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2025-7071",
"datePublished": "2025-08-29T09:18:06.911Z",
"dateReserved": "2025-07-04T14:16:55.641Z",
"dateUpdated": "2025-08-29T12:07:57.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0693 (GCVE-0-2025-0693)
Vulnerability from cvelistv5 – Published: 2025-01-23 21:22 – Updated: 2025-10-14 18:42 Exclusively Hosted Service| URL | Tags |
|---|---|
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| AWS | AWS Sign-in IAM Login Flow |
Affected:
N/A
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0693",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-24T19:45:21.293722Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T19:45:25.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"All"
],
"product": "AWS Sign-in IAM Login Flow",
"vendor": "AWS",
"versions": [
{
"status": "affected",
"version": "N/A"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVariable response times in the AWS Sign-in IAM user login flow allowed for the use of brute force enumeration techniques to identify valid IAM usernames in an arbitrary AWS account.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Variable response times in the AWS Sign-in IAM user login flow allowed for the use of brute force enumeration techniques to identify valid IAM usernames in an arbitrary AWS account."
}
],
"impacts": [
{
"capecId": "CAPEC-215",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-215 Fuzzing for application mapping"
}
]
},
{
"capecId": "CAPEC-172",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-172: Manipulate Timing and State"
}
]
},
{
"capecId": "CAPEC-462",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-462: Cross-Domain Search Timing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T18:42:46.835Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-002/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"exclusively-hosted-service"
],
"title": "Issue with AWS Sign-in IAM User Login Flow - Possible Username Enumeration",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2025-0693",
"datePublished": "2025-01-23T21:22:25.699Z",
"dateReserved": "2025-01-23T20:36:22.905Z",
"dateUpdated": "2025-10-14T18:42:46.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56738 (GCVE-0-2024-56738)
Vulnerability from cvelistv5 – Published: 2024-12-29 00:00 – Updated: 2024-12-31 18:15- CWE-208 - Observable Timing Discrepancy
| URL | Tags |
|---|---|
| https://savannah.gnu.org/bugs/?66603 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56738",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-31T18:14:04.755858Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-31T18:15:24.931Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "GRUB2",
"vendor": "GNU",
"versions": [
{
"lessThanOrEqual": "2.12",
"status": "affected",
"version": "2.00",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:*",
"versionEndIncluding": "2.12",
"versionStartIncluding": "2.00",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-29T06:47:17.499Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://savannah.gnu.org/bugs/?66603"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-56738",
"datePublished": "2024-12-29T00:00:00.000Z",
"dateReserved": "2024-12-29T00:00:00.000Z",
"dateUpdated": "2024-12-31T18:15:24.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52307 (GCVE-0-2024-52307)
Vulnerability from cvelistv5 – Published: 2024-11-21 17:14 – Updated: 2024-11-27 16:03- CWE-208 - Observable Timing Discrepancy
| URL | Tags |
|---|---|
| https://github.com/goauthentik/authentik/security… | x_refsource_CONFIRM |
| https://github.com/goauthentik/authentik/commit/5… | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2024/11/27/1 |
| Vendor | Product | Version | |
|---|---|---|---|
| goauthentik | authentik |
Affected:
< 2024.8.5
Affected: >= 2024.10.0-rc1, < 2024.10.3 |
|
| goauthentik | authentik |
Affected:
0 , < 2024.8.5
(custom)
Affected: 2024.10.0-rc1 , < 2024.10.3 (custom) cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:goauthentik:authentik:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "authentik",
"vendor": "goauthentik",
"versions": [
{
"lessThan": "2024.8.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2024.10.3",
"status": "affected",
"version": "2024.10.0-rc1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52307",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-21T21:05:39.091544Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T21:05:44.590Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-11-27T16:03:20.897Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/11/27/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "authentik",
"vendor": "goauthentik",
"versions": [
{
"status": "affected",
"version": "\u003c 2024.8.5"
},
{
"status": "affected",
"version": "\u003e= 2024.10.0-rc1, \u003c 2024.10.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "authentik is an open-source identity provider. Due to the usage of a non-constant time comparison for the /-/metrics/ endpoint it was possible to brute-force the SECRET_KEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be accessed directly, as the Go proxy running in the authentik server container fetches data from this endpoint and serves it on a separate port (9300 by default), which can be scraped by Prometheus without being exposed publicly. authentik 2024.8.5 and 2024.10.3 fix this issue. Since the /-/metrics/ endpoint is not intended to be accessed publicly, requests to the endpoint can be blocked by the reverse proxy/load balancer used in conjunction with authentik."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T17:14:51.677Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/goauthentik/authentik/security/advisories/GHSA-2xrw-5f2x-m56j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/goauthentik/authentik/security/advisories/GHSA-2xrw-5f2x-m56j"
},
{
"name": "https://github.com/goauthentik/authentik/commit/5ea4580884f99369f0ccfe484c04cb03a66e65b8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/goauthentik/authentik/commit/5ea4580884f99369f0ccfe484c04cb03a66e65b8"
}
],
"source": {
"advisory": "GHSA-2xrw-5f2x-m56j",
"discovery": "UNKNOWN"
},
"title": "authentik allows a timing attack due to missing constant time comparison for metrics view"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52307",
"datePublished": "2024-11-21T17:14:51.677Z",
"dateReserved": "2024-11-06T19:00:26.397Z",
"dateUpdated": "2024-11-27T16:03:20.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47178 (GCVE-0-2024-47178)
Vulnerability from cvelistv5 – Published: 2024-09-30 15:09 – Updated: 2024-09-30 16:01- CWE-208 - Observable Timing Discrepancy
| URL | Tags |
|---|---|
| https://github.com/expressjs/basic-auth-connect/s… | x_refsource_CONFIRM |
| https://github.com/expressjs/basic-auth-connect/c… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| expressjs | basic-auth-connect |
Affected:
< 1.1.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47178",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T16:01:21.696056Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T16:01:32.189Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "basic-auth-connect",
"vendor": "expressjs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "basic-auth-connect is Connect\u0027s Basic Auth middleware in its own module. basic-auth-connect \u003c 1.1.0 uses a timing-unsafe equality comparison that can leak timing information. This issue has been fixed in basic-auth-connect 1.1.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:09:59.513Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/expressjs/basic-auth-connect/security/advisories/GHSA-7p89-p6hx-q4fw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/expressjs/basic-auth-connect/security/advisories/GHSA-7p89-p6hx-q4fw"
},
{
"name": "https://github.com/expressjs/basic-auth-connect/commit/bac1e6a8530e1efd0028800b9b588a37adb0d203",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/expressjs/basic-auth-connect/commit/bac1e6a8530e1efd0028800b9b588a37adb0d203"
}
],
"source": {
"advisory": "GHSA-7p89-p6hx-q4fw",
"discovery": "UNKNOWN"
},
"title": "basic-auth-connect\u0027s callback uses time unsafe string comparison"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47178",
"datePublished": "2024-09-30T15:09:59.513Z",
"dateReserved": "2024-09-19T22:32:11.962Z",
"dateUpdated": "2024-09-30T16:01:32.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45052 (GCVE-0-2024-45052)
Vulnerability from cvelistv5 – Published: 2024-09-04 15:43 – Updated: 2024-09-04 16:19- CWE-208 - Observable Timing Discrepancy
| URL | Tags |
|---|---|
| https://github.com/ethyca/fides/security/advisori… | x_refsource_CONFIRM |
| https://github.com/ethyca/fides/commit/457b0e9df9… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"lessThan": "2.44.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45052",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T16:19:06.969242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T16:19:47.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fides",
"vendor": "ethyca",
"versions": [
{
"status": "affected",
"version": "\u003c 2.44.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server\u0027s response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T15:43:52.056Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv"
},
{
"name": "https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ethyca/fides/commit/457b0e9df9f0d337133d6078bca6ed88bbc745f4"
}
],
"source": {
"advisory": "GHSA-2h46-8gf5-fmxv",
"discovery": "UNKNOWN"
},
"title": "Fides Webserver Authentication Timing-Based Username Enumeration Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45052",
"datePublished": "2024-09-04T15:43:52.056Z",
"dateReserved": "2024-08-21T17:53:51.331Z",
"dateUpdated": "2024-09-04T16:19:47.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42368 (GCVE-0-2024-42368)
Vulnerability from cvelistv5 – Published: 2024-08-13 19:31 – Updated: 2024-08-14 13:38- CWE-208 - Observable Timing Discrepancy
| URL | Tags |
|---|---|
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_CONFIRM |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-c… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| open-telemetry | opentelemetry-collector-contrib |
Affected:
>= 0.80.0, < 0.107.0
|
|
| opentelemetry | opentelemetry_collector_contrib |
Affected:
0.80.0 , < 0.107.0
(custom)
cpe:2.3:a:opentelemetry:opentelemetry_collector_contrib:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:opentelemetry:opentelemetry_collector_contrib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "opentelemetry_collector_contrib",
"vendor": "opentelemetry",
"versions": [
{
"lessThan": "0.107.0",
"status": "affected",
"version": "0.80.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42368",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T13:34:34.981446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T13:38:51.917Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opentelemetry-collector-contrib",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.80.0, \u003c 0.107.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension\u0027s server authenticator performs a simple, non-constant time string comparison of the received \u0026 configured bearer tokens. This impacts anyone using the `bearertokenauth` server authenticator. Malicious clients with network access to the collector may perform a timing attack against a collector with this authenticator to guess the configured token, by iteratively sending tokens and comparing the response time. This would allow an attacker to introduce fabricated or bad data into the collector\u0027s telemetry pipeline. The observable timing vulnerability was fixed by using constant-time comparison in 0.107.0"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T19:31:16.814Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/security/advisories/GHSA-rfxf-mf63-cpqv"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-collector-contrib/commit/c9bd3eff0bb357d9c812a0d8defd3b09db95699a"
}
],
"source": {
"advisory": "GHSA-rfxf-mf63-cpqv",
"discovery": "UNKNOWN"
},
"title": "open-telemetry has an Observable Timing Discrepancy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42368",
"datePublished": "2024-08-13T19:31:16.814Z",
"dateReserved": "2024-07-30T14:01:33.923Z",
"dateUpdated": "2024-08-14T13:38:51.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41741 (GCVE-0-2024-41741)
Vulnerability from cvelistv5 – Published: 2024-11-01 16:40 – Updated: 2024-11-01 17:24- CWE-208 - Information Exposure Through Timing Discrepancy
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | TXSeries for Multiplatforms |
Affected:
10.1
cpe:2.3:a:ibm:txseries_for_multiplatforms:10.1:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41741",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-01T17:24:15.428648Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T17:24:30.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:txseries_for_multiplatforms:10.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "TXSeries for Multiplatforms",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM TXSeries for Multiplatforms 10.1 could allow an attacker to determine valid usernames due to an observable timing discrepancy which could be used in further attacks against the system."
}
],
"value": "IBM TXSeries for Multiplatforms 10.1 could allow an attacker to determine valid usernames due to an observable timing discrepancy which could be used in further attacks against the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Information Exposure Through Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T16:40:49.569Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7174572"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM TXSeries for Multiplatforms information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-41741",
"datePublished": "2024-11-01T16:40:49.569Z",
"dateReserved": "2024-07-22T12:02:18.444Z",
"dateUpdated": "2024-11-01T17:24:30.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40640 (GCVE-0-2024-40640)
Vulnerability from cvelistv5 – Published: 2024-07-17 17:27 – Updated: 2024-08-02 04:33- CWE-208 - Observable Timing Discrepancy
| URL | Tags |
|---|---|
| https://github.com/matrix-org/vodozemac/security/… | x_refsource_CONFIRM |
| https://github.com/matrix-org/vodozemac/commit/73… | x_refsource_MISC |
| https://arxiv.org/abs/2108.04600 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| matrix-org | vodozemac |
Affected:
< 0.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40640",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T18:15:24.360907Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T18:15:31.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:33:11.880Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/matrix-org/vodozemac/security/advisories/GHSA-j8cm-g7r6-hfpq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/matrix-org/vodozemac/security/advisories/GHSA-j8cm-g7r6-hfpq"
},
{
"name": "https://github.com/matrix-org/vodozemac/commit/734b6c6948d4b2bdee3dd8b4efa591d93a61d272",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/matrix-org/vodozemac/commit/734b6c6948d4b2bdee3dd8b4efa591d93a61d272"
},
{
"name": "https://arxiv.org/abs/2108.04600",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://arxiv.org/abs/2108.04600"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "vodozemac",
"vendor": "matrix-org",
"versions": [
{
"status": "affected",
"version": "\u003c 0.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "vodozemac is an open source implementation of Olm and Megolm in pure Rust. Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation for importing key material for Megolm group sessions and `PkDecryption` Ed25519 secret keys. This flaw might allow an attacker to infer some information about the secret key material through a side-channel attack. The use of a non-constant time base64 implementation might allow an attacker to observe timing variations in the encoding and decoding operations of the secret key material. This could potentially provide insights into the underlying secret key material. The impact of this vulnerability is considered low because exploiting the attacker is required to have access to high precision timing measurements, as well as repeated access to the base64 encoding or decoding processes. Additionally, the estimated leakage amount is bounded and low according to the referenced paper. This has been patched in commit 734b6c6948d4b2bdee3dd8b4efa591d93a61d272 which has been included in release version 0.7.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T17:27:15.586Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/matrix-org/vodozemac/security/advisories/GHSA-j8cm-g7r6-hfpq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/matrix-org/vodozemac/security/advisories/GHSA-j8cm-g7r6-hfpq"
},
{
"name": "https://github.com/matrix-org/vodozemac/commit/734b6c6948d4b2bdee3dd8b4efa591d93a61d272",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/matrix-org/vodozemac/commit/734b6c6948d4b2bdee3dd8b4efa591d93a61d272"
},
{
"name": "https://arxiv.org/abs/2108.04600",
"tags": [
"x_refsource_MISC"
],
"url": "https://arxiv.org/abs/2108.04600"
}
],
"source": {
"advisory": "GHSA-j8cm-g7r6-hfpq",
"discovery": "UNKNOWN"
},
"title": "Usage of non-constant time base64 decoder could lead to leakage of secret key material in vodozemac"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-40640",
"datePublished": "2024-07-17T17:27:15.586Z",
"dateReserved": "2024-07-08T16:13:15.512Z",
"dateUpdated": "2024-08-02T04:33:11.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
No mitigation information available for this CWE.
CAPEC-462: Cross-Domain Search Timing
An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.
CAPEC-541: Application Fingerprinting
An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.
CAPEC-580: System Footprinting
An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.